Port Numbers

At design time, select port numbers for each Directory Server and Directory Proxy Server instance.
If possible, do not change port numbers after your directory service is deployed
in a production environment.

Separate port numbers must be allocated for various services and components.

Specify the port number for accepting LDAP connections. The standard
port for LDAP communication is 389, although other ports can be used. For
example, if you must be able to start the server as a regular user, use an
unprivileged port, by default 1389. Port numbers less than 1024 require privileged
access. If you use a port number that is less than 1024, certain LDAP commands
must be run as root.

Specify the port number for accepting SSL-based connections. The standard
port for SSL-based LDAP (LDAPS) communication is 636, although other ports
can be used. For example, an unprivileged port such as the default 1636 might
be required so that the server can be started as a regular user.

If you specify an unprivileged port and a server instance is installed
on a system to which other users have access, you expose the port to a
hijack risk by another application. In other words, another application
can bind to the same address/port pair. The rogue application might then be
able to process requests that are intended for the server. The application
could also be used to capture passwords used in the authentication process,
to alter client requests or server responses, or to cause a denial of
service.

Both Directory Server and Directory Proxy Server allow you to restrict
the list of IP addresses on which the server listens. Directory Server has
configuration attributes nsslapd-listenhost and nsslapd-securelistenhost. Directory Proxy Server has listen-address properties
on ldap-listener and ldaps-listener configuration
objects. When you specify the list of interfaces on which to listen, other
programs are prevented from using the same port numbers as your server.
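The following script is an added example, not code from the Sun documentation, that audits a planned port allocation on one host against the three points made above: every listener needs its own port, a port below 1024 requires the instance to be started as root, and a listener on a shared host that is not restricted to a specific address (no nsslapd-listenhost or listen-address value) is exposed to another local process binding the same port. The instance names, addresses and ports in SAMPLE are constructed sample input, and the Listener and Instance classes are this example's own data model, not configuration objects of the product.

```python
"""Audit a planned Directory Server / Directory Proxy Server port plan.

Added example (not part of the Sun documentation). Checks port uniqueness,
privileged ports, and unrestricted listen addresses on a shared host.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIVILEGED_MAX = 1023  # ports 0-1023 require root to bind


@dataclass
class Listener:
    name: str                           # e.g. "ldap", "ldaps", "dsml-http"
    port: int
    listen_host: Optional[str] = None   # None: listen on all interfaces


@dataclass
class Instance:
    name: str
    listeners: List[Listener]
    runs_as_root: bool = False


def audit(instances: List[Instance], shared_host: bool = True) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the planned allocation."""
    findings = []
    seen = {}  # (listen address or "*", port) -> owning listener
    for inst in instances:
        for lst in inst.listeners:
            owner = f"{inst.name}/{lst.name}"
            if not 1 <= lst.port <= 65535:
                findings.append(("error", f"{owner}: port {lst.port} is out of range"))
                continue
            key_host = lst.listen_host or "*"
            # A wildcard listener collides with any other use of the port;
            # two listeners on the same specific address collide as well.
            for (host, port), prev in seen.items():
                if port == lst.port and ("*" in (host, key_host) or host == key_host):
                    findings.append(("error",
                                     f"{owner}: port {lst.port} already allocated to {prev}"))
                    break
            seen[(key_host, lst.port)] = owner
            if lst.port <= PRIVILEGED_MAX and not inst.runs_as_root:
                findings.append(("error",
                                 f"{owner}: port {lst.port} is privileged but the instance "
                                 "is not started as root"))
            if shared_host and lst.listen_host is None:
                findings.append(("warning",
                                 f"{owner}: listens on all interfaces on a shared host; "
                                 "restrict the listen address"))
    return findings


# Constructed sample plan: ds2 reuses ds1's LDAP port on every interface, and
# dps1 wants the standard port 389 without running as root.
SAMPLE = [
    Instance("ds1", [Listener("ldap", 1389, "10.0.0.5"), Listener("ldaps", 1636, "10.0.0.5")]),
    Instance("ds2", [Listener("ldap", 1389), Listener("ldaps", 2636, "10.0.0.5")]),
    Instance("dps1", [Listener("ldap", 389, "10.0.0.5")]),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity.upper():8} {message}")
```

Run the audit before the instances are created; once the ports are in production the guidance above is not to change them.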

Directory Server DSML Port Numbers

In addition to processing requests in LDAP, Directory Server also
responds to requests sent in the Directory Service Markup Language v2 (DSML).
DSML is another way for a client to encode directory operations. Directory Server processes
DSML as any other request, with the same access control and security features.

If your topology includes DSML access, identify the following:

A standard HTTP port for receiving DSML requests. The default
port is 80.

If SSL is activated, an encrypted (HTTPS) port for receiving
encrypted DSML requests. The default port is 443.

A relative URL that, when appended to the host and port, determines
the complete URL that clients must use to send DSML requests.
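As an added example that is not part of the Sun documentation, the script below composes the complete DSML endpoint URL from the scheme, host, port and relative URL identified above, and encodes an LDAP base-scope search of the root DSE as a DSMLv2 batchRequest wrapped in a SOAP envelope, which is how DSMLv2 is carried over HTTP. It only builds and parses the request body; nothing is sent. The host name, ports and relative URL used in the assertions are constructed sample values.

```python
"""Build a DSML endpoint URL and a DSMLv2 search request (added example).

Not code from the Sun documentation; demonstrates how a client encodes a
directory operation in DSML instead of LDAP.
"""
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def dsml_url(host: str, port: int, relative_url: str, ssl: bool = False) -> str:
    """Return scheme://host[:port]/relative-url, omitting the default port."""
    scheme = "https" if ssl else "http"
    default_port = 443 if ssl else 80
    hostport = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{hostport}/{relative_url.lstrip('/')}"


def root_dse_search_request(request_id: str = "1") -> str:
    """Encode a base-scope search of the root DSE as DSMLv2 inside SOAP."""
    ET.register_namespace("soap-env", SOAP_NS)
    ET.register_namespace("dsml", DSML_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    batch = ET.SubElement(body, f"{{{DSML_NS}}}batchRequest")
    search = ET.SubElement(batch, f"{{{DSML_NS}}}searchRequest", {
        "requestID": request_id,
        "dn": "",                           # empty DN addresses the root DSE
        "scope": "baseObject",
        "derefAliases": "neverDerefAliases",
    })
    flt = ET.SubElement(search, f"{{{DSML_NS}}}filter")
    ET.SubElement(flt, f"{{{DSML_NS}}}present", {"name": "objectClass"})
    attrs = ET.SubElement(search, f"{{{DSML_NS}}}attributes")
    for name in ("namingContexts", "supportedLDAPVersion"):
        ET.SubElement(attrs, f"{{{DSML_NS}}}attribute", {"name": name})
    return ET.tostring(envelope, encoding="unicode")


def parse_search_request(xml_text: str):
    """Decode the request again: (dn, scope, filter attribute, requested attrs)."""
    root = ET.fromstring(xml_text)
    search = root.find(f".//{{{DSML_NS}}}searchRequest")
    present = search.find(f"{{{DSML_NS}}}filter/{{{DSML_NS}}}present")
    attrs = [a.get("name")
             for a in search.findall(f"{{{DSML_NS}}}attributes/{{{DSML_NS}}}attribute")]
    return search.get("dn"), search.get("scope"), present.get("name"), attrs


if __name__ == "__main__":
    # Constructed sample values for the endpoint.
    print("POST", dsml_url("ds.example.com", 8080, "dsml"))
    print(root_dse_search_request())
```

Because the server processes the decoded operation exactly as an LDAP request, the same access control applies to the search encoded here; only the transport and the port differ.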

Directory Service Control Center and Common Agent Container Port Numbers

Directory Service Control Center (DSCC) is a web application for Sun Java Web Console
that enables you to administer Directory Server and Directory Proxy Server instances
through a web browser. For a server to be recognized by DSCC, the
server must be registered with DSCC. Unregistered servers can still
be managed using command-line utilities.

DSCC communicates with DSCC agents located on the
systems where servers are installed. The DSCC agents run inside a
common agent container, which routes network traffic to them and provides
them a framework in which to run.

If you plan to use DSCC to administer servers in your topology,
identify the following port numbers.

The encrypted HTTPS port for accessing DSCC through
Sun Java Web Console on the system where DSCC is installed. The default
port is 6789.

The management traffic port through which DSCC reaches its agents in the
common agent container on the system where the server instances are installed.
The default port is 11162.

The port numbers for the DSCC Registry instance,
if you plan to replicate the configuration information. See dsccsetup(1M) for
details.

Even if all components are installed on the same system, DSCC still
communicates with its agents through these network ports.

Identity Synchronization for Windows Port Numbers

If your deployment includes identity synchronization with Microsoft
Active Directory, an available port is required for the Message Queue instance.
This port must be available on each Directory Server instance that participates
in the synchronization. The default non-secure port for Message Queue is 80,
and the default secure port is 443.